Date: 10/07/2025
Severity: High
Summary
Our team recently identified an attack on a misconfigured MS-SQL server involving XiebroC2, an open-source command-and-control (C2) framework similar to Cobalt Strike. The attacker exploited weak credentials to gain access and attempted to install various malware, including coin miners and JuicyPotato for privilege escalation. XiebroC2 implants, written in Go, provide cross-platform backdoor functionality on Windows, Linux, and macOS. Although MS-SQL processes run with low privileges by default, attackers use Potato-family tools to escalate access by abusing token privileges. Once deployed, XiebroC2 gives the operator full remote control, including reverse shells, file management, network monitoring, and more.
Indicators of Compromise (IOC) List
Domains/URLs:
http://183.196.14.213:2780/tee.exe
IP Addresses:
1.94.185.235
183.196.14.213
Hashes (MD5):
4cfdd0ae14185e72a74e67717c23526c
7d28a709a6ca6eef5af40f48cf7e3d12
Hashes (SHA1):
69d8175a55f2bfc61ad52ba83274eff1d7993f69
e3a23093fb3eff348136ef066b251fcca18c5d22
Hashes (SHA256):
9351b5edec8401e5a0daf036a9e9b75954b4aeb4ffdf8dc30d9dedfa36fff004
0212bde3715a349a6b684dd54548638b5899be8d62a1e25559937e494e3cce54
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL):
domainname like "http://183.196.14.213:2780/tee.exe" or url like "http://183.196.14.213:2780/tee.exe" or siteurl like "http://183.196.14.213:2780/tee.exe"
Detection Query 2 (IP address):
dstipaddress IN ("1.94.185.235","183.196.14.213") or srcipaddress IN ("1.94.185.235","183.196.14.213")
Detection Query 3 (MD5):
md5hash IN ("4cfdd0ae14185e72a74e67717c23526c","7d28a709a6ca6eef5af40f48cf7e3d12")
Detection Query 4 (SHA1):
sha1hash IN ("69d8175a55f2bfc61ad52ba83274eff1d7993f69","e3a23093fb3eff348136ef066b251fcca18c5d22")
Detection Query 5 (SHA256):
sha256hash IN ("0212bde3715a349a6b684dd54548638b5899be8d62a1e25559937e494e3cce54","9351b5edec8401e5a0daf036a9e9b75954b4aeb4ffdf8dc30d9dedfa36fff004")
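The following Python script is an added example, not part of the advisory or of Gurucul's product: it applies the same five matching rules to events carrying the field names used in the queries above, so the logic can be validated offline against constructed sample events before being deployed. The sample events are constructed, not real telemetry, and the substring interpretation of the "like" operator is an assumption.

```python
from typing import Dict, List

# IOC values taken from the advisory above.
IOC_URL = "http://183.196.14.213:2780/tee.exe"
IOC_IPS = {"1.94.185.235", "183.196.14.213"}
IOC_HASHES = {  # keyed by the query field name; values kept lowercase for comparison
    "md5hash": {"4cfdd0ae14185e72a74e67717c23526c",
                "7d28a709a6ca6eef5af40f48cf7e3d12"},
    "sha1hash": {"69d8175a55f2bfc61ad52ba83274eff1d7993f69",
                 "e3a23093fb3eff348136ef066b251fcca18c5d22"},
    "sha256hash": {"0212bde3715a349a6b684dd54548638b5899be8d62a1e25559937e494e3cce54",
                   "9351b5edec8401e5a0daf036a9e9b75954b4aeb4ffdf8dc30d9dedfa36fff004"},
}
HASH_QUERIES = (("md5hash", "Query 3 (MD5)"),
                ("sha1hash", "Query 4 (SHA1)"),
                ("sha256hash", "Query 5 (SHA256)"))


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the labels of every detection query the event satisfies (empty if none)."""
    hits: List[str] = []
    # Query 1: "like" is assumed to be a substring match, so a URL with extra
    # query parameters appended still matches.
    if any(IOC_URL in event.get(f, "") for f in ("domainname", "url", "siteurl")):
        hits.append("Query 1 (URL)")
    # Query 2: either endpoint of the connection is a listed IP.
    if any(event.get(f) in IOC_IPS for f in ("dstipaddress", "srcipaddress")):
        hits.append("Query 2 (IP)")
    # Queries 3-5: hashes are compared case-insensitively because sensors
    # differ in whether they emit upper- or lowercase hex.
    for field, label in HASH_QUERIES:
        if event.get(field, "").lower() in IOC_HASHES[field]:
            hits.append(label)
    return hits


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (index, matched_queries) for each event that matched at least one query."""
    results = [(i, match_event(e)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]


# Constructed sample events (not real telemetry). Event 0 matches URL and IP,
# event 1 matches only the uppercase SHA256, event 2 is benign (MD5 of empty input).
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "183.196.14.213",
     "url": "http://183.196.14.213:2780/tee.exe?x=1"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "10.0.0.1",
     "sha256hash": "9351B5EDEC8401E5A0DAF036A9E9B75954B4AEB4FFDF8DC30D9DEDFA36FFF004"},
    {"srcipaddress": "10.0.0.9", "dstipaddress": "10.0.0.1",
     "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```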
Reference:
https://asec.ahnlab.com/ko/90326/